Data Security: How to Identify and Eliminate the Weakest Links

Earlier this summer, Hanson McClain Advisors got the call that no advisory firm wants to get. Someone had broken into its Sacramento, CA, headquarters and in scouring for money had stolen the firm’s safe filled with back-up data.

Luckily, the firm had several layers of protection on that data, making it nearly impossible for thieves to compromise client information. What’s more, the firm was able to recreate what had been lost.

“These types of things make you revisit every aspect of your security,” says Barry Chapman, IT director at Hanson McClain, which is now doing even more to beef up physical and network security.

The Securities and Exchange Commission requires client confidential information to be protected, and when it comes to doing so many broker/dealers and custodians do most of the heavy lifting. Even so, advisors still must make sure that, on an individual basis, they are protecting client data, and many don’t realize how vulnerable they are to security breaches.

“While many advisors take it seriously, there’s a difference between thinking you’re secure and making your firm bullet-proof,” says John J. Furey, principal of Advisor Growth Strategies LLC, a Phoenix, AZ, consultancy.

Read on for some dos and don’ts to consider when it comes to data security.

Don’t scrimp
The cost of data protection depends on your firm’s needs and size, among other things. But being reactive rather than proactive is the wrong approach. “Spend the amount of money necessary to get all of your data protected,” says Jim Goodland, founder of Securus Wealth Management, a registered investment advisor in Plymouth, MN. “By the time a problem occurs, it could be extremely severe and difficult to fix.”

Be wary of paper
Eighty percent of advisors are still living in a paper world, leaving them vulnerable to all sorts of errors or interception by the wrong people, says Timothy D. Welsh, president of Nexus Strategy LLC, a Larkspur, CA, consultancy. “If you want to lock everything down, do it digitally,” he says.

If you keep sensitive information in paper form, make sure you have adequate locks on your filing cabinets. And don’t leave files in your car or luggage. When you’re getting rid of paper documents, make sure you shred them (after you’re allowed to under applicable state and federal laws).

Don’t use e-mail for transmitting client documents
E-mail, while immensely popular and useful, is not secure, and it is a bad idea to e-mail client documents, even internally, Welsh says.

Instead, use a document management system for internal communications. These secure systems allow users to share documents collaboratively, so you don’t have to e-mail them. For external communications, it’s important to have client portals—an online document repository where advisors can post information without having to e-mail it or use snail mail, Welsh says.

Use encryption
Encryption is a hot-button area these days, particularly with a new Massachusetts data protection law that went into effect on March 1, 2010, and applies to anyone doing business with a state resident, regardless of where that business is based. The law requires that personal information—anything that is considered to be unique to that person—be encrypted, says Mark McCreary, a partner in the Philadelphia office of law firm Fox Rothschild.

Instead of trying to figure out which clients are residents of Massachusetts, many advisors are choosing to encrypt everyone’s data with special software. Of course, it can be costly, ranging anywhere from $50 to $250 per employee or more, depending on how sophisticated a product you are getting, but it’s a layer of insurance, McCreary says.

Analyze third-party vendors very carefully
When evaluating potential partners, it’s important to ask questions about how secure your customer data will be in their hands, says Phillip Fournier, chief operations officer of Spire Investment Partners LLC, a registered investment advisor and broker/dealer in Reston, VA.

To a large extent, it’s a trust issue, but you should still ask questions such as: What are your back-up systems for client data? Who has access to the data? Have you had any breaches? Where are your servers located? Is there a secure room?

If you don’t know the answers to these questions, “there can be a lot of unintended consequences,” Fournier says.

Consider hiring consultants to hack into your system
Chapman says Hanson McClain’s losses over the summer were mitigated because the firm had been working with so-called “white-hat hackers” twice a year to test data security. “It’s always the little things you overlook that consultants will typically catch you on,” he says. “They helped us think of strategies to protect the data to the extent that it couldn’t easily be compromised.”

He also recommends changing consultants every so often to ensure you’re getting a fresh set of eyes.

Passwords
Don’t reuse passwords, don’t make them easy to remember, don’t leave them on your computer or in a drawer, and don’t give them to anyone else to use, even once. Consider using phrases, and change your passwords every two months.

Limit access to information
Not everyone should have access to the server room or file cabinet, and the same goes for electronic files. Document management systems allow only certain people to see certain information. You can also restrict access to specific files and folders using the permissions built into Microsoft Windows.

If servers are kept on-site, they should be behind a locked door to which only executives have a key. The door also should be strong enough to withstand significant pressure. At Hanson McClain, for example, a reinforced wooden door wasn’t enough to keep the burglar from taking off with a safe full of data. (Locking down your office safe also is a good idea.)

Physical security
Also consider hiring round-the-clock security guards and upgrading your alarm system to use cellular technology so would-be thieves can’t cut the phone line to disable the alarm as they did in Hanson McClain’s case.

Laptops also are easy targets. Chapman’s firm uses a product called Computrace LoJack for Laptops, which in the event of theft allows the firm to track, locate and recover stolen computers and protect sensitive data from identity theft.

Test your backups
Fournier of Spire says his company routinely checks its backups to make sure they work because data can sometimes be corrupt. His firm also has redundant back-up hard drives, e-mail servers, etc., in case the original back-up doesn’t work. “It’s worth it because the day your house is on fire is the day you say, ‘Oh shoot, I should have bought fire insurance,’” he says.
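An added example (not code from the article or from any firm it mentions) of the routine check described above: record a SHA-256 manifest when the backup is written, then re-hash the set on every test so a silently corrupted or missing file is reported now rather than discovered on restore day. The file names and contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_root: Path, manifest: Path) -> int:
    """Record the digest of every file under backup_root right after the copy."""
    entries = {str(p.relative_to(backup_root)): sha256_of(p)
               for p in sorted(backup_root.rglob("*")) if p.is_file()}
    manifest.write_text(json.dumps(entries, indent=1, sort_keys=True))
    return len(entries)

def verify_backup(backup_root: Path, manifest: Path) -> dict:
    """Re-hash every recorded file; the set is trustworthy only when both
    the "corrupt" and "missing" lists come back empty."""
    report = {"ok": [], "corrupt": [], "missing": []}
    for rel, digest in json.loads(manifest.read_text()).items():
        p = backup_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != digest:  # bit rot, truncated copy, or tampering
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report

def demo() -> dict:
    """Constructed scenario: three files backed up, then one corrupted, one lost."""
    with tempfile.TemporaryDirectory() as tmp:
        root, manifest = Path(tmp) / "backup", Path(tmp) / "manifest.json"
        (root / "clients").mkdir(parents=True)
        (root / "clients" / "ledger.csv").write_text("acct,balance\n1001,250000\n")
        (root / "clients" / "notes.txt").write_text("quarterly review scheduled\n")
        (root / "config.ini").write_text("[server]\nhost=backup01\n")
        write_manifest(root, manifest)
        # What a routine check must catch: a silently altered file and a lost one.
        (root / "clients" / "ledger.csv").write_text("acct,balance\n1001,25000\n")
        (root / "config.ini").unlink()
        return verify_backup(root, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the manifest on a different medium than the backup it describes; a copy that has failed along with its manifest tells you nothing.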

Questions or feedback? Please email us at nextmove@penton.com.